Linux variant of Qilin Ransomware targets Windows via remote management tools and BYOVD

Pierluigi Paganini October 27, 2025

Qilin ransomware group used Linux binaries on Windows to evade EDRs, steal backups, and disable defenses via BYOVD attacks.

Trend Research found that the Qilin ransomware group (aka Agenda) used a Linux ransomware binary on Windows systems via legitimate remote tools, bypassing Windows defenses and EDRs. The cross-platform method enables stealthy attacks, stealing backup credentials and disabling endpoint protections through BYOVD exploits.

The Linux ransomware was deployed on Windows systems using WinSCP for secure file transfer and Splashtop Remote for executing the ransomware binary. The attackers abused AnyDesk via ATERA RMM, ScreenConnect, and MeshCentral to evade detection, and used BYOVD for defense evasion. Attackers also stole Veeam backup credentials to block recovery. Trend Micro highlights that the cross-platform tactic bypasses Windows defenses, showing evolving attacker sophistication.

“This attack challenges traditional Windows-focused security controls,” reads the report published by Trend Micro. “The deployment of Linux ransomware on Windows systems demonstrates how threat actors are adapting to bypass endpoint detection systems not configured to detect or prevent Linux binaries executing through remote management channels.”

The Qilin ransomware operation has been active since 2022 and has become one of the most active RaaS groups in 2025, claiming over 40 victims monthly and peaking at 100 in June. Recently, Resecurity’s researchers detailed how the Qilin RaaS group relies on global bulletproof hosting networks to support its extortion operations.

Attackers gained initial access via fake Google CAPTCHA pages hosted on Cloudflare R2, tricking users into running malicious scripts. The fake CAPTCHA pages contained obfuscated JavaScript that launched a multistage payload system, downloading additional malware from two command-and-control servers:

  • 45[.]221[.]64[.]245/mot/
  • 104[.]164[.]55[.]7/231/means.d

The pages delivered info-stealers that harvested credentials, tokens, and cookies. Stolen accounts enabled Qilin to bypass MFA and move laterally using valid user sessions.

The attackers conducted extensive reconnaissance using ScreenConnect to run discovery commands such as nltest /domain_trusts and net group "domain admins" /domain, while deploying the NetScan utility from user folders to map the network. They installed legitimate remote management tools, AnyDesk via ATERA and ScreenConnect, to maintain persistent access disguised as normal administrative activity.

For credential theft, the attackers targeted the Veeam backup infrastructure, executing Base64-encoded PowerShell scripts to extract and decrypt stored credentials from SQL databases. These scripts retrieved usernames and passwords from key Veeam tables (e.g., Credentials, BackupRepositories, WinServers), exposing domain admin, service, and local administrator accounts. This allowed the attackers to obtain privileged credentials for domain controllers, Exchange servers, SQL databases, and other critical systems.

Attackers used advanced anti-analysis techniques to disable defenses and move across the network quietly. They deployed two executables (2stX.exe and Or2.exe) that load a signed driver, eskle.sys, which performs VM and debugger checks, kills security processes, and helps the threat actors evade detection; the driver’s signature points to a Chinese game-related vendor, suggesting a repurposed cheat driver.

A separate malicious DLL, msimg32.dll, acted as a dropper. The library is sideloaded by a legitimate application such as FoxitPDFReader.exe and drops the kernel drivers rwdrv.sys and hlpdrv.sys into the Temp folder. Both drivers were previously associated with kernel-level access and EDR termination in other campaigns. Analysts also found additional suspicious executables (cg6.exe, 44a.exe, aa.exe) with similar driver-loading behavior, likely using another vulnerable driver.

For lateral movement, the attackers staged multiple renamed PuTTY binaries (test.exe, 1.exe, 2.exe, 3.exe) to SSH into Linux hosts, showing a cross-platform operation that combined stealthy defense evasion with broad network reach.

The attackers created a network of distributed C2 by planting multiple COROXY SOCKS proxy instances across trusted application folders (Veeam, VMware, Adobe, USOShared), hiding malicious tunnels inside normal app traffic and ensuring redundant communications even if individual proxies were removed.

They moved a Linux ransomware binary to Windows using WinSCP and then executed it via Splashtop Remote’s SRManager to bypass Windows-focused protections.

The ransomware required a password to run and displayed detailed configuration output listing whitelisted processes, blocked file extensions, and excluded paths. Like other ransomware, it avoids targeting core system directories. Updated samples added Nutanix AHV detection and improved error/log handling. By combining BYOVD-style evasion, distributed SOCKS proxies and legitimate remote tools, the attackers achieved resilient, low-noise control and cross-platform encryption capability that undermines traditional endpoint defenses and complicates recovery.
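As an added defender-side example (not code from the report or from Trend Micro), the following Python rules flag the behaviours described above in Sysmon-style process-creation and driver-load records: an ELF image launched under Splashtop, encoded PowerShell that references the Veeam credential tables, renamed PuTTY, and a known driver staged in Temp. The field names, SRManager.exe as the Splashtop parent image, and the magic field (assumed to be filled by an enrichment step that reads the image's first bytes) are assumptions.

```python
import base64
import re
# Driver and table names come from the narrative above; SRManager.exe and the
# Sysmon-style fields (image, parent, cmdline, original_name, magic) are assumptions.
KNOWN_DRIVERS = {"eskle.sys", "rwdrv.sys", "hlpdrv.sys"}
VEEAM_TABLES = ("credentials", "backuprepositories", "winservers")
ELF_MAGIC = b"\x7fELF"

def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or '' if none."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", "ignore")
    except ValueError:
        return ""

def classify(ev):
    """Return alert tags for one process-creation or driver-load event."""
    tags = []
    image = ev.get("image", "").replace("/", "\\").lower()
    name = image.rsplit("\\", 1)[-1]
    parent = ev.get("parent", "").replace("/", "\\").lower()
    if ev["type"] == "process":
        # A Linux ELF image launched through Splashtop's SRManager.
        if ev.get("magic", b"").startswith(ELF_MAGIC) and parent.endswith("srmanager.exe"):
            tags.append("linux_binary_via_srmanager")
        # Encoded PowerShell that references the Veeam credential tables.
        if name == "powershell.exe":
            decoded = decode_encoded_powershell(ev.get("cmdline", "")).lower()
            if any(t in decoded for t in VEEAM_TABLES):
                tags.append("veeam_credential_dump")
        # PE whose OriginalFileName says PuTTY but that runs under another name.
        if ev.get("original_name", "").lower() == "putty.exe" and name != "putty.exe":
            tags.append("renamed_putty")
    elif ev["type"] == "driver_load" and name in KNOWN_DRIVERS and "\\temp\\" in image:
        tags.append("byovd_driver_from_temp")  # known abusable driver staged in Temp
    return tags

def scan(events):
    """Map each flagged event's image path to its alert tags; clean events are dropped."""
    return {ev["image"]: t for ev in events if (t := classify(ev))}

# Constructed sample telemetry (not from the report) that exercises every rule.
ENC = base64.b64encode("SELECT * FROM Credentials".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\Public\enc.bin", "magic": b"\x7fELF\x02",
     "parent": r"C:\Program Files\Splashtop\Splashtop Remote\Server\SRManager.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENC},
    {"type": "process", "image": r"C:\Users\Public\1.exe", "original_name": "PuTTY.exe"},
    {"type": "driver_load", "image": r"C:\Windows\Temp\rwdrv.sys"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},  # benign control
]
```

Running `scan(SAMPLE_EVENTS)` returns one entry per flagged image; the benign svchost.exe record produces no tag, and a driver with the same name loaded from System32\drivers is deliberately not flagged by the Temp rule.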

“This Agenda attack shows how ransomware operators are further weaponizing legitimate IT tools and hybrid environments to quietly bypass conventional security. Defenses must address operational blind spots and strengthen visibility and control over critical assets,” concludes the report.
